Abstract. One of the main challenges in software verification is efficient and precise compositional analysis of programs with procedures and loops. Interpolation methods remain one of the most promising techniques for such verification, and are closely related to solving Horn clause constraints. We introduce a new notion of interpolation, disjunctive interpolation, which solves a more general class of problems in one step than previous notions of interpolants, such as tree interpolants or inductive sequences of interpolants. We present algorithms and complexity results for the construction of disjunctive interpolants, as well as their use within an abstraction-refinement loop. We have implemented Horn clause verification algorithms that use disjunctive interpolants and evaluate them on benchmarks expressed as Horn clauses over the theory of integer linear arithmetic.



1 Introduction 

Software model checking has greatly benefited from the combination of a number of seminal ideas: automated abstraction through theorem proving [13], exploration of finite-state abstractions, and counterexample-driven refinement [3]. Even though these techniques can be viewed independently, the effectiveness of verification has been consistently improving by providing more sophisticated communication between these steps. Often, carefully chosen search aspects are being pushed into a learning-enabled constraint solver, resulting in better overall verification performance. An essential advance was to use interpolants derived from unsatisfiability proofs to refine the abstraction [18]. In recent years, we have seen significant progress in interpolating methods for different logical constraints [5, 8, 9, 22], and a wealth of more general forms of interpolation [1, 17, 22]. In this paper we identify a new notion, disjunctive interpolants, which are more general than tree interpolants and inductive sequences of interpolants. Like tree interpolation [17, 22], a disjunctive interpolation query is a tree-shaped constraint specifying the interpolants to be derived; however, in disjunctive interpolation, branching in the tree can represent both conjunctions and disjunctions. We present an algorithm for solving the interpolation problem, relating it to a subclass of recursion-free Horn clauses. We then consider solving general recursion-free Horn clauses and show that this problem is solvable whenever the logic admits interpolation. We establish tight complexity bounds for solving recursion-free Horn clauses for propositional logic (PSPACE) and for integer linear arithmetic (co-NEXPTIME). In contrast, the disjunctive interpolation problem remains in co-NP for these logics. We also show how to use solvers for recursion-free Horn clauses to verify recursive Horn clauses using counterexample-driven predicate abstraction. We present an algorithm and experimental results on publicly available benchmarks.



1.1 Related Work 



There is a long line of research on Craig interpolation methods, and generalised forms of interpolation, tailored to verification. For an overview of interpolation in the presence of theories, we refer the reader to [8, 9]. Binary Craig interpolation for implications $A \to C$ goes back to [10], was carried over to conjunctions $A \land B$ in [23], and generalised to inductive sequences of interpolants in [18, 24]. The concept of tree interpolation, strictly generalising inductive sequences of interpolants, is presented in the documentation of the interpolation engine iZ3 [22]; the computation of tree interpolants by computing a sequence of binary interpolants is also described in [17]. In this paper, we present a new form of interpolation, disjunctive interpolation, which is strictly more general than sequences of interpolants and tree interpolants. Our implementation supports Presburger arithmetic, including divisibility constraints [8], which is rarely supported by existing tools, yet helpful in practice [19].

A further generalisation of inductive sequences of interpolants are restricted DAG interpolants [1], which also include disjunctiveness in the sense that multiple paths through a program can be handled simultaneously. Disjunctive interpolants are incomparable in power to restricted DAG interpolants, since the former do not handle interpolation problems in the form of DAGs, while the latter do not subsume tree interpolation. A combination of the two kinds of interpolants ("disjunctive DAG interpolation") is strictly more powerful (and harder) than disjunctive interpolation; see Sect. 5.1 for a complexity-theoretic analysis. We discuss techniques and heuristics to practically handle shared sub-trees in disjunctive interpolation, extending the benefits of DAG interpolation to recursive programs.

Inter-procedural software model checking with interpolants has been an active area of research. In the context of predicate abstraction, it has been discussed how well-scoped invariants can be inferred [18] in the presence of function calls. Based on the concept of Horn clauses, a predicate abstraction-based algorithm for bottom-up construction of function summaries was presented in [14]. Verification of programs with procedures is described in [11] (using nested word automata) as well as in [2].

The use of Horn clauses as an intermediate representation for verification was proposed in [15], with the verification of concurrent programs as the main application. The underlying procedure for solving sets of recursion-free Horn clauses, over the combined theory of linear rational arithmetic and uninterpreted functions, was presented in [16]. A range of further applications of Horn clauses, including inter-procedural model checking, was given in [14]. Horn clauses are also proposed as an intermediate/exchange format for verification problems in [4], and are natively supported by the SMT solver Z3 [11]. Our paper extends this work by giving general results about solvability and computational complexity, independent of any particular calculus. Our experiments are with linear integer arithmetic, arguably a more faithful model of discrete computation than rationals [19].
(1) $\mathit{merge}(X, Y, Z) \leftarrow X = 0 \land Y \geq 0 \land Z = Y$

(2) $\mathit{merge}(X, Y, Z) \leftarrow Y = 0 \land X \geq 0 \land Z = X$

(3) $\mathit{merge}(X, Y, Z) \leftarrow Y1 = Y - 1 \land \mathit{merge}(X, Y1, Z1) \land Z = Z1 + 1$

(4) $\mathit{merge}(X, Y, Z) \leftarrow X1 = X - 1 \land \mathit{merge}(X1, Y, Z1) \land Z = Z1 + 1$

(5) $\mathit{false} \leftarrow \mathit{merge}(X, Y, Z) \land Z > X + Y$

Fig. 1. Horn Clauses Abstracting the Merge of Two Sorted Lists and an Assertion on Resulting Length. Variables are universally quantified in each clause.

(1) $\mathit{merge}(X, Y, Z) \leftarrow X = 0 \land Y \geq 0 \land Z = Y$

(3') $\mathit{merge}_1(X, Y, Z) \leftarrow Y1 = Y - 1 \land \mathit{merge}(X, Y1, Z1) \land Z = Z1 + 1$

(4') $\mathit{merge}_1(X, Y, Z) \leftarrow X1 = X - 1 \land \mathit{merge}(X1, Y, Z1) \land Z = Z1 + 1$

(5') $\mathit{false} \leftarrow \mathit{merge}_1(X, Y, Z) \land Z > X + Y$

Fig. 2. Extended recursion-free approximation of the Horn clauses in Fig. 1.

2 Example: Verification of Recursive Predicates 

We start by showing how our approach can verify programs encoded as Horn clauses, by means of predicate abstraction and a theorem prover for Presburger arithmetic. Fig. 1 shows an example of a system of Horn clauses, generated by a straightforward length abstraction of a merge operation that accepts two sorted lists and produces a new one by merging them. Addition of an element increases the resulting length ($Z$) by one, whereas the processing continues with one of the argument lists shorter. After invoking such an operation, we wish to check whether it is possible for the resulting length $Z$ to be more than the sum of the lengths of the argument lists $X + Y$. In general, we encode error conditions as Horn clauses with $\mathit{false}$ in their head, and refer to such clauses as error clauses, although such clauses do not have a special semantic status in our system. When invoked with these clauses as input, our verification tool automatically identifies that the definition of $\mathit{merge}$ as the predicate $X + Y - Z \geq 0$ gives a solution to these Horn clauses. In terms of safety (partial correctness), this means that the error condition cannot be reached.

Our approach uses counterexample-driven refinement to perform verification. In this example, the abstraction of Horn clauses starts with a trivial set of predicates, containing only the predicate $\mathit{false}$, which is assumed to be a valid approximation until proven otherwise. Upon examining a clause that has a concrete satisfiable formula on the right-hand side (e.g. $X = 0 \land Y \geq 0 \land Z = Y$), we rule out $\mathit{false}$ as the approximation of $\mathit{merge}$. In the absence of other candidate predicates, the approximation of $\mathit{merge}$ becomes the conjunction of an empty set of predicates, which is $\mathit{true}$. Using this approximation the error clause is no longer satisfied. At this point the algorithm checks whether a true error is reached by directly chaining the clauses involved in computing the approximation of predicates. This amounts to checking whether the following recursion-free subset of clauses has a solution:

(1) $\mathit{merge}(X, Y, Z) \leftarrow X = 0 \land Y \geq 0 \land Z = Y$
(5) $\mathit{false} \leftarrow \mathit{merge}(X, Y, Z) \land Z > X + Y$

The solution to the above problem is any formula $I(X, Y, Z)$ such that

$I(X, Y, Z) \leftarrow X = 0 \land Y \geq 0 \land Z = Y$
$\mathit{false} \leftarrow I(X, Y, Z) \land Z > X + Y$

This is precisely an interpolant of $X = 0 \land Y \geq 0 \land Z = Y$ and $Z > X + Y$. If our algorithm picks the interpolant $Z \leq X + Y$, the subsequent check shows it to be a solution and the program is successfully verified (this is what happens in our current implementation). In general, however, there is no guarantee about which of the interpolants will be picked, so another valid solution is $P_1(X, Y, Z) = (Z = Y \land X \geq 0)$. For illustration purposes, suppose $P_1$ is the interpolant picked. The currently considered possible contradiction for the Horn clauses is thereby eliminated, and $P_1$ is added to a list of abstraction predicates for the relation $\mathit{merge}$. Because the predicates approximating $\mathit{merge}$ are now updated, we consider the abstraction of the system in terms of these predicates. Because of clause (2), however, $P_1$ is not a conjunct in a valid approximation, which leads us to consider clauses (2) and (5) and add, for example, $P_2(X, Y, Z) = (Z = X \land Y \geq 0)$ as another predicate in the approximation of $\mathit{merge}$. Note, however, that both $P_1$ and $P_2$ are ruled out as an approximation by clause (3), so the following recursion-free unfolding is not solved by the approximation so far:

(1) $\mathit{merge}(X, Y, Z) \leftarrow X = 0 \land Y \geq 0 \land Z = Y$

(3') $\mathit{merge}_1(X, Y, Z) \leftarrow Y1 = Y - 1 \land \mathit{merge}(X, Y1, Z1) \land Z = Z1 + 1$

(5') $\mathit{false} \leftarrow \mathit{merge}_1(X, Y, Z) \land Z > X + Y$

This particular problem could be reduced to solving an interpolation sequence, but it is more natural to think of it simply as a solution for recursion-free Horn clauses. A solution is an interpretation of the relations $\mathit{merge}$ and $\mathit{merge}_1$ as ternary relations on integers, such that the clauses are true. Note that this problem could also be viewed as the computation of tree interpolants, which are also a special case of solving recursion-free Horn clauses, as are DAG interpolants and the new notion of disjunctive tree interpolants that we introduce. The general message, in line with [14, 16], is that recursion-free clauses are a perfect fit for counterexample-driven verification: they allow us to provide the theorem proving procedure with much more information that it can use to refine abstractions. In fact, we could also provide further recursion-free approximations, such as in Fig. 2. In the limit, the original set of clauses or its recursive unfoldings are its own approximations, some of them exact, but the advantage of recursion-free Horn clauses is that their solvability is decidable under very general conditions. This provides us with a solid theorem proving building block to construct robust and predictable solvers for the undecidable recursive case. Our paper describes a new such building block: disjunctive interpolants, which correspond to a subclass of non-recursive Horn clauses.



3 Formulae and Horn Clauses 

Constraint languages. Throughout this paper, we assume that a first-order vocabulary of interpreted symbols has been fixed, consisting of a set $\mathcal{F}$ of fixed-arity function symbols, and a set $\mathcal{P}$ of fixed-arity predicate symbols. The interpretation of $\mathcal{F}$ and $\mathcal{P}$ is determined by a class $\mathcal{S}$ of structures $(U, I)$ consisting of a non-empty universe $U$, and a mapping $I$ that assigns to each function in $\mathcal{F}$ a set-theoretic function over $U$, and to each predicate in $\mathcal{P}$ a set-theoretic relation over $U$. As a convention, we assume the presence of an equation symbol "=" in $\mathcal{P}$, with the usual interpretation. Given a countably infinite set $\mathcal{X}$ of variables, a constraint language is a set $\mathit{Constr}$ of first-order formulae over $\mathcal{F}, \mathcal{P}, \mathcal{X}$. For example, the language of quantifier-free Presburger arithmetic has $\mathcal{F} = \{+, -, 0, 1, 2, \ldots\}$ and $\mathcal{P} = \{=, \leq, |\}$.

A constraint is called satisfiable if it holds for some structure in $\mathcal{S}$ and some assignment of the variables $\mathcal{X}$, otherwise unsatisfiable. We say that a set $\Gamma \subseteq \mathit{Constr}$ of constraints entails a constraint $\varphi \in \mathit{Constr}$ if every structure and variable assignment that satisfies all constraints in $\Gamma$ also satisfies $\varphi$; this is denoted by $\Gamma \models \varphi$.

$\mathit{fv}(\varphi)$ denotes the set of free variables in the constraint $\varphi$. We write $\varphi[x_1, \ldots, x_n]$ to state that a constraint contains (only) the free variables $x_1, \ldots, x_n$, and $\varphi[t_1, \ldots, t_n]$ for the result of substituting the terms $t_1, \ldots, t_n$ for $x_1, \ldots, x_n$. Given a constraint $\varphi$ containing the free variables $x_1, \ldots, x_n$, we write $\mathit{Cl}_\forall(\varphi)$ for the universal closure $\forall x_1, \ldots, x_n.\, \varphi$.

Positions. We denote the set of positions in a constraint $\varphi$ by $\mathit{positions}(\varphi)$. For instance, the constraint $a \land \neg a$ has 4 positions, corresponding to the sub-formulae $a \land \neg a$, $\neg a$, and the two occurrences of $a$. The sub-formula of a formula $\varphi$ underneath a position $p$ is denoted by $\varphi{\downarrow}p$, and we write $\varphi[p/\psi]$ for the result of replacing the sub-formula $\varphi{\downarrow}p$ with $\psi$. Further, we write $p \leq q$ if position $p$ is above $q$ (that is, $q$ denotes a position within the sub-formula $\varphi{\downarrow}p$), and $p < q$ if $p$ is strictly above $q$.

Craig interpolation is the main technique used to construct and refine abstractions in software model checking. A binary interpolation problem is a conjunction $A \land B$ of constraints. A Craig interpolant is a constraint $I$ such that $A \models I$ and $B \models \neg I$, and such that $\mathit{fv}(I) \subseteq \mathit{fv}(A) \cap \mathit{fv}(B)$. The existence of an interpolant implies that $A \land B$ is unsatisfiable. We say that a constraint language has the interpolation property if also the opposite holds: whenever $A \land B$ is unsatisfiable, there is an interpolant $I$.

3.1 Horn Clauses 

To define the concept of Horn clauses, we fix a set $\mathcal{R}$ of uninterpreted fixed-arity relation symbols, disjoint from $\mathcal{P}$ and $\mathcal{F}$. A Horn clause is a formula $C \land B_1 \land \cdots \land B_n \to H$ where

- $C$ is a constraint over $\mathcal{F}, \mathcal{P}, \mathcal{X}$;

- each $B_i$ is an application $p(t_1, \ldots, t_k)$ of a relation symbol $p \in \mathcal{R}$ to first-order terms over $\mathcal{F}, \mathcal{X}$;

- $H$ is similarly either an application $p(t_1, \ldots, t_k)$ of $p \in \mathcal{R}$ to first-order terms, or is the constraint $\mathit{false}$.

$H$ is called the head of the clause, $C \land B_1 \land \cdots \land B_n$ the body. In case $C = \mathit{true}$, we usually leave out $C$ and just write $B_1 \land \cdots \land B_n \to H$. First-order variables (from $\mathcal{X}$) in a clause are considered implicitly universally quantified; relation symbols represent set-theoretic relations over the universe $U$ of a structure $(U, I) \in \mathcal{S}$. Notions like (un)satisfiability and entailment generalise straightforwardly to formulae with relation symbols.

A relation symbol assignment is a mapping $\mathit{sol} : \mathcal{R} \to \mathit{Constr}$ that maps each $n$-ary relation symbol $p \in \mathcal{R}$ to a constraint $\mathit{sol}(p) = C_p[x_1, \ldots, x_n]$ with $n$ free variables. The instantiation $\mathit{sol}(h)$ of a Horn clause $h$ is defined by:

$\mathit{sol}(C \land p_1(\bar t_1) \land \cdots \land p_n(\bar t_n) \to p(\bar t)) = C \land \mathit{sol}(p_1)[\bar t_1] \land \cdots \land \mathit{sol}(p_n)[\bar t_n] \to \mathit{sol}(p)[\bar t]$
$\mathit{sol}(C \land p_1(\bar t_1) \land \cdots \land p_n(\bar t_n) \to \mathit{false}) = C \land \mathit{sol}(p_1)[\bar t_1] \land \cdots \land \mathit{sol}(p_n)[\bar t_n] \to \mathit{false}$

Definition 1 (Solvability). Let $\mathcal{HC}$ be a set of Horn clauses over relation symbols $\mathcal{R}$.

1. $\mathcal{HC}$ is called semantically solvable if for every structure $(U, I) \in \mathcal{S}$ there is an interpretation of the relation symbols $\mathcal{R}$ as set-theoretic relations over $U$ such that the universally quantified closure $\mathit{Cl}_\forall(h)$ of every clause $h \in \mathcal{HC}$ holds in $(U, I)$.

2. $\mathcal{HC}$ is called syntactically solvable if there is a relation symbol assignment $\mathit{sol}$ such that for every structure $(U, I) \in \mathcal{S}$ and every clause $h \in \mathcal{HC}$ it is the case that $\mathit{Cl}_\forall(\mathit{sol}(h))$ is satisfied.

Note that, in the special case when $\mathcal{S}$ contains only one structure, $\mathcal{S} = \{(U, I)\}$, semantic solvability reduces to the existence of relations interpreting $\mathcal{R}$ that extend the structure $(U, I)$ in such a way as to make all clauses true. In other words, Horn clauses are solvable in a structure if and only if the extension of the theory of $(U, I)$ by relation symbols $\mathcal{R}$ in the vocabulary and by the given Horn clauses as axioms is consistent.

Clearly, if a set of Horn clauses is syntactically solvable, then it is also semantically solvable. The converse is not true in general, because the solution need not be expressible in the constraint language (see Appendix E for an example).

A set $\mathcal{HC}$ of Horn clauses induces a dependence relation $\to_{\mathcal{HC}}$ on $\mathcal{R}$, defining $p \to_{\mathcal{HC}} q$ if there is a Horn clause in $\mathcal{HC}$ that contains $p$ in its head, and $q$ in the body. The set $\mathcal{HC}$ is called recursion-free if $\to_{\mathcal{HC}}$ is acyclic, and recursive otherwise. In the next sections we study the solvability problem for recursion-free Horn clauses. This case is relevant, since solvers for recursion-free Horn clauses form a main component of many general Horn-clause-based verification systems [14, 15].
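The following Python program is an added illustration (it is not code from the paper or from its implementation) of the notions of this section: the clauses of Fig. 1 as data, a relation symbol assignment $\mathit{sol}$, the instantiation $\mathit{sol}(h)$ of each clause, and the dependence relation $\to_{\mathcal{HC}}$ used to decide whether a set is recursion-free. Entailment of the instantiated clauses is only sampled over a bounded integer grid (an assumption of this example; the paper's tool uses a Presburger theorem prover), so an empty set of failing clauses is evidence rather than a proof, whereas any environment returned is a genuine counterexample to the clause. The names FIG1, FIG2, SOL_* and the helper functions are the example's own.

```python
from itertools import product

# A clause is (head, body, constraint): head is (symbol, args) or None for
# false, body is a list of (symbol, args), and the constraint is a Python
# predicate over an environment dict mapping variable names to integers.
FIG1 = {
    1: (("merge", ("X", "Y", "Z")), [],
        lambda e: e["X"] == 0 and e["Y"] >= 0 and e["Z"] == e["Y"]),
    2: (("merge", ("X", "Y", "Z")), [],
        lambda e: e["Y"] == 0 and e["X"] >= 0 and e["Z"] == e["X"]),
    3: (("merge", ("X", "Y", "Z")), [("merge", ("X", "Y1", "Z1"))],
        lambda e: e["Y1"] == e["Y"] - 1 and e["Z"] == e["Z1"] + 1),
    4: (("merge", ("X", "Y", "Z")), [("merge", ("X1", "Y", "Z1"))],
        lambda e: e["X1"] == e["X"] - 1 and e["Z"] == e["Z1"] + 1),
    5: (None, [("merge", ("X", "Y", "Z"))],
        lambda e: e["Z"] > e["X"] + e["Y"]),
}

# Fig. 2: the recursion-free approximation, with the fresh symbol merge1.
FIG2 = {
    1: FIG1[1],
    3: (("merge1", ("X", "Y", "Z")), [("merge", ("X", "Y1", "Z1"))], FIG1[3][2]),
    4: (("merge1", ("X", "Y", "Z")), [("merge", ("X1", "Y", "Z1"))], FIG1[4][2]),
    5: (None, [("merge1", ("X", "Y", "Z"))], FIG1[5][2]),
}

def clause_vars(clause):
    head, body, _ = clause
    vs = set(head[1]) if head else set()
    for _, args in body:
        vs |= set(args)
    return sorted(vs)

def counterexample(clause, sol, bound=4):
    """Sample Cl_forall(sol(h)) on the grid [-bound, bound]^k. Returns a variable
    environment under which the instantiated clause is false, or None if the
    clause holds at every sampled point (bounded evidence, not a proof)."""
    head, body, constraint = clause
    vs = clause_vars(clause)
    for vals in product(range(-bound, bound + 1), repeat=len(vs)):
        env = dict(zip(vs, vals))
        # body of sol(h): C ∧ sol(p1)[t1] ∧ ... ∧ sol(pn)[tn]
        body_true = constraint(env) and all(
            sol[p](*(env[a] for a in args)) for p, args in body)
        # head of sol(h): sol(p)[t], or false for an error clause
        head_true = sol[head[0]](*(env[a] for a in head[1])) if head else False
        if body_true and not head_true:
            return env
    return None

def failing_clauses(clauses, sol, bound=4):
    """Map the number of each violated clause to a counterexample environment."""
    result = {}
    for n, clause in clauses.items():
        cex = counterexample(clause, sol, bound)
        if cex is not None:
            result[n] = cex
    return result

def dependence_relation(clauses):
    """p ->_HC q iff some clause has p in its head and q in its body."""
    return {(head[0], q) for head, body, _ in clauses.values() if head
            for q, _ in body}

def is_recursion_free(clauses):
    """Recursion-free iff ->_HC is acyclic (depth-first search for a cycle)."""
    succ = {}
    for p, q in dependence_relation(clauses):
        succ.setdefault(p, set()).add(q)

    def on_cycle(node, path):
        if node in path:
            return True
        return any(on_cycle(n, path | {node}) for n in succ.get(node, ()))

    return not any(on_cycle(p, frozenset()) for p in succ)

# The candidate assignments for merge discussed in Sect. 2.
SOL_FALSE = {"merge": lambda x, y, z: False}
SOL_TRUE = {"merge": lambda x, y, z: True}
SOL_GOOD = {"merge": lambda x, y, z: x + y - z >= 0}

if __name__ == "__main__":
    print(failing_clauses(FIG1, SOL_FALSE))  # clauses (1) and (2) are violated
    print(failing_clauses(FIG1, SOL_TRUE))   # only the error clause (5) fails
    print(failing_clauses(FIG1, SOL_GOOD))   # {}: no violation on the grid
    print(is_recursion_free(FIG1), is_recursion_free(FIG2))  # False True
```

The three candidate assignments replay the refinement steps of Sect. 2: $\mathit{false}$ is refuted by the fact clauses (1) and (2), $\mathit{true}$ by the error clause (5), and $X + Y - Z \geq 0$ survives every clause, including the two recursive ones. Fig. 2 is recursion-free because $\mathit{merge}_1$ depends on $\mathit{merge}$ but not the other way round, whereas Fig. 1 has the self-dependence $\mathit{merge} \to_{\mathcal{HC}} \mathit{merge}$.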



4 Disjunctive Interpolants and Body-Disjoint Horn Clauses 

Having defined the classical notions of interpolation and Horn clauses, we now present our notion of disjunctive interpolants, and the corresponding class of Horn clauses. Our inspiration are generalized forms of Craig interpolation, such as inductive sequences of interpolants [18, 24] or tree interpolants [17, 22]. We introduce disjunctive interpolation as a new form of interpolation that is tailored to the refinement of abstractions in Horn clause verification, strictly generalising both inductive sequences of interpolants and tree interpolation. Disjunctive interpolation problems can specify both conjunctive and disjunctive relationships between interpolants, and are thus applicable for simultaneous analysis of multiple paths in a program, but also tailored to inter-procedural analysis or verification of concurrent programs [14].

Disjunctive interpolation problems correspond to a specific fragment of recursion-free Horn clauses, namely recursion-free body-disjoint Horn clauses (see Sect. 4.1). The definition of disjunctive interpolation is chosen deliberately to be as general as possible, while still avoiding the high computational complexity of solving general systems of recursion-free Horn clauses. Computational complexity is discussed in Sect. 5.1.
We introduce disjunctive interpolants as a means of sub-formula abstraction. For example, given an unsatisfiable constraint $\varphi$ containing $\alpha$ as a sub-formula in a positive position, the goal is to find an abstraction $\alpha'$ such that $\alpha \models \alpha'$ and $\varphi[\alpha'] \models \mathit{false}$, and such that $\alpha'$ only contains variables common to $\alpha$ and $\varphi[\mathit{true}]$. Generalizing this to any number of sub-formulae, we obtain the following.



Definition 2 (Disjunctive interpolant). Let $\varphi$ be a constraint, and $\mathit{pos} \subseteq \mathit{positions}(\varphi)$ a set of positions in $\varphi$ that are only underneath the connectives $\land$ and $\lor$. A disjunctive interpolant is a map $I : \mathit{pos} \to \mathit{Constr}$ from positions to constraints such that:

1. For each position $p \in \mathit{pos}$, with direct children $\{q_1, \ldots, q_n\} = \{q \in \mathit{pos} \mid p < q \text{ and } \neg\exists r \in \mathit{pos}.\, p < r < q\}$ we have

$(\varphi[q_1/I(q_1), \ldots, q_n/I(q_n)]){\downarrow}p \models I(p)$,

2. For the topmost positions $\{q_1, \ldots, q_n\} = \{q \in \mathit{pos} \mid \neg\exists r \in \mathit{pos}.\, r < q\}$ we have

$\varphi[q_1/I(q_1), \ldots, q_n/I(q_n)] \models \mathit{false}$.

3. For each position $p \in \mathit{pos}$, we have $\mathit{fv}(I(p)) \subseteq \mathit{fv}(\varphi{\downarrow}p) \cap \mathit{fv}(\varphi[p/\mathit{true}])$.



Example 1. Consider $A_p \land B$, with position $p$ pointing to the sub-formula $A$, and $\mathit{pos} = \{p\}$. The disjunctive interpolants for $A \land B$ and $\mathit{pos}$ coincide with the ordinary binary interpolants for $A \land B$.



Example 2. Consider the formula $\varphi = (\cdots(((T_1)_{p_1} \land T_2)_{p_2} \land T_3)_{p_3} \cdots)_{p_{n-1}} \land T_n$ and positions $\mathit{pos} = \{p_1, \ldots, p_{n-1}\}$. Disjunctive interpolants for $\varphi$ and $\mathit{pos}$ correspond to inductive sequences of interpolants [18, 24]. Note that we have the entailments $T_1 \models I(p_1)$, $I(p_1) \land T_2 \models I(p_2)$, $\ldots$, $I(p_{n-1}) \land T_n \models \mathit{false}$.



Example 3. A tree interpolation problem [17, 22] is given by a finite directed tree $(V, E)$, writing $E(v, v')$ to express that the node $v'$ is a direct child of $v$, together with a function $\varphi : V \to \mathit{Constr}$ that labels each node $v$ of the tree with a constraint $\varphi(v)$. A tree interpolant is a function $I : V \to \mathit{Constr}$ such that 1. $I(v_0) = \mathit{false}$ for the root node $v_0 \in V$, 2. for any node $v \in V$, the entailment $\varphi(v) \land \bigwedge_{(v, w) \in E} I(w) \models I(v)$ holds, and 3. for any node $v \in V$, every variable in $I(v)$ occurs both in some formula $\varphi(w)$ for $w$ such that $E^*(v, w)$, and in some formula $\varphi(w')$ for some $w'$ such that $\neg E^*(v, w')$. ($E^*$ is the reflexive transitive closure of $E$.)

It can be shown that a tree interpolant $I$ exists if and only if $\bigwedge_{v \in V} \varphi(v)$ is unsatisfiable. Tree interpolation problems [17, 22] correspond to disjunctive interpolation with a set $\mathit{pos}$ of positions that are only underneath $\land$ (and never underneath $\lor$).
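As an added example that is not part of the paper, the checker below tests Definition 2 mechanically for the constraint language of Booleans, where entailment can be decided by enumerating truth assignments (Theorems 3 and 5 below treat this language). Formulas are nested tuples, a position is the path of child indices from the root, and the sample instances (constructed here) have the shape of Example 1 (a single position, giving an ordinary binary interpolant), of Example 2 (an inductive sequence, $\mathit{pos}$ only under $\land$), and of a genuinely disjunctive problem with positions under $\lor$; a third candidate for the last instance violates conditions 1 and 3 and the checker reports where. All function and variable names are the example's own.

```python
from itertools import product

# Formulas over the Booleans: a variable name (str), the constants True/False,
# or tuples ("not", f), ("and", f, g), ("or", f, g). A position is the path of
# child indices from the root, so () is the root and (0, 1) is the second child
# of the first child.

def sub(phi, pos):
    """phi↓pos: the sub-formula underneath a position."""
    for i in pos:
        phi = phi[i + 1]
    return phi

def replace(phi, pos, psi):
    """phi[pos/psi]: the formula with the sub-formula at pos replaced by psi."""
    if not pos:
        return psi
    i = pos[0]
    return phi[:i + 1] + (replace(phi[i + 1], pos[1:], psi),) + phi[i + 2:]

def fv(phi):
    """Variables occurring in a formula (all are free here)."""
    if isinstance(phi, str):
        return {phi}
    if isinstance(phi, bool):
        return set()
    return set().union(*(fv(c) for c in phi[1:]))

def ev(phi, env):
    if isinstance(phi, bool):
        return phi
    if isinstance(phi, str):
        return env[phi]
    op, *args = phi
    if op == "not":
        return not ev(args[0], env)
    if op == "and":
        return ev(args[0], env) and ev(args[1], env)
    return ev(args[0], env) or ev(args[1], env)

def entails(phi, psi):
    """phi ⊨ psi, decided by enumerating every truth assignment."""
    vs = sorted(fv(phi) | fv(psi))
    return all(not ev(phi, dict(zip(vs, vals))) or ev(psi, dict(zip(vs, vals)))
               for vals in product([False, True], repeat=len(vs)))

def strictly_above(p, q):
    """p < q: p is a proper prefix of q."""
    return len(p) < len(q) and q[:len(p)] == p

def check_disjunctive_interpolant(phi, I):
    """Check Def. 2 for a candidate map I: pos -> formula. Returns the list of
    violated conditions (empty iff I is a disjunctive interpolant)."""
    pos = set(I)
    problems = []

    def children(p):  # direct children of p within pos
        return [q for q in pos if strictly_above(p, q) and not any(
            strictly_above(p, r) and strictly_above(r, q) for r in pos)]

    for p in pos:
        # positions must lie only underneath ∧ and ∨
        if any(sub(phi, p[:k])[0] not in ("and", "or") for k in range(len(p))):
            problems.append(("position not under and/or", p))
        # condition 1: (phi[q1/I(q1), ..., qn/I(qn)])↓p ⊨ I(p)
        inst = phi
        for q in children(p):
            inst = replace(inst, q, I[q])
        if not entails(sub(inst, p), I[p]):
            problems.append(("condition 1", p))
        # condition 3: fv(I(p)) ⊆ fv(phi↓p) ∩ fv(phi[p/true])
        if not fv(I[p]) <= fv(sub(phi, p)) & fv(replace(phi, p, True)):
            problems.append(("condition 3", p))
    # condition 2: the topmost positions, replaced by their interpolants, give false
    inst = phi
    for q in [q for q in pos if not any(strictly_above(r, q) for r in pos)]:
        inst = replace(inst, q, I[q])
    if not entails(inst, False):
        problems.append(("condition 2", ()))
    return problems

# Constructed instances. PHI_SEQ has the shape of Example 2 with n = 3:
# ((T1)_{p1} ∧ T2)_{p2} ∧ T3 with p1 = (0, 0) and p2 = (0,).
T1, T2, T3 = ("and", "a", "b"), ("or", ("not", "b"), "c"), ("not", "c")
PHI_SEQ = ("and", ("and", T1, T2), T3)
I_SEQ = {(0, 0): "b", (0,): "c"}          # T1 ⊨ b, b ∧ T2 ⊨ c, c ∧ T3 ⊨ false

# A disjunctive problem: ((a ∧ b)_q ∨ (a ∧ c)_r)_p ∧ ¬a, two paths at once.
PHI_DISJ = ("and", ("or", ("and", "a", "b"), ("and", "a", "c")), ("not", "a"))
I_DISJ = {(0,): "a", (0, 0): "a", (0, 1): "a"}
I_BAD = {(0,): "a", (0, 0): "b", (0, 1): "a"}  # b is not shared with the context

if __name__ == "__main__":
    print(check_disjunctive_interpolant(PHI_SEQ, I_SEQ))    # []
    print(check_disjunctive_interpolant(PHI_DISJ, I_DISJ))  # []
    print(check_disjunctive_interpolant(PHI_DISJ, I_BAD))
```

For I_BAD the checker reports condition 1 at the disjunction position, since $b \lor a$ does not entail $a$ once the child interpolants are substituted, and condition 3 at the first child, since $b$ does not occur outside that sub-formula. Truth-table enumeration is exponential in the number of variables, which is fine for illustration but is exactly why the paper treats richer constraint languages with an interpolating prover rather than by enumeration.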



Example 4. We consider the example given in Fig. 2, Sect. 2. To compute a solution for the Horn clauses, we first expand the Horn clauses into a constraint, by means of exhaustive inlining (see Sect. 5), obtaining a disjunctive interpolation problem:

$\mathit{false} \leftarrow \mathit{merge}_1(X, Y, Z) \land Z > X + Y$

$\big( Y1 = Y - 1 \land \mathit{merge}(X, Y1, Z1) \land Z = Z1 + 1 \;\lor\; X1 = X - 1 \land \mathit{merge}(X1, Y, Z1) \land Z = Z1 + 1 \big)_p \land Z > X + Y$

$\big( Y1 = Y - 1 \land (X = 0 \land Y1 \geq 0 \land Z1 = Y1)_q \land Z = Z1 + 1 \;\lor\; X1 = X - 1 \land (X1 = 0 \land Y \geq 0 \land Z1 = Y)_r \land Z = Z1 + 1 \big)_p \land Z > X + Y$

In the last formula, the positions $p, q, r$ corresponding to the relation symbol $\mathit{merge}_1$ and the two occurrences of $\mathit{merge}$ are marked. It can be observed that the last formula is unsatisfiable, and that $I = \{p \mapsto X + Y \geq Z,\; q \mapsto X + Y1 \geq Z1,\; r \mapsto X1 + Y \geq Z1\}$ is a disjunctive interpolant. A solution for the Horn clauses can be derived from the interpolant by conjoining the constraints derived for the two occurrences of $\mathit{merge}$:

$\mathit{merge}_1(X, Y, Z) = X + Y \geq Z, \qquad \mathit{merge}(X, Y, Z) = X + Y \geq Z \land X + Y \geq Z = X + Y \geq Z$

Theorem 1. Suppose $\varphi$ is a constraint, and suppose $\mathit{pos} \subseteq \mathit{positions}(\varphi)$ is a set of positions in $\varphi$ that are only underneath the connectives $\land$ and $\lor$. If $\mathit{Constr}$ is a constraint language that has the interpolation property, then a disjunctive interpolant $I$ exists for $\varphi$ and $\mathit{pos}$ if and only if $\varphi$ is unsatisfiable.

Proof. "$\Rightarrow$": By means of simple induction, we can derive that $\varphi{\downarrow}p \models I(p)$ holds for every disjunctive interpolant $I$ for $\varphi$ and $\mathit{pos}$, and for every $p \in \mathit{pos}$. From Def. 2 it then follows that $\varphi$ is unsatisfiable.

"$\Leftarrow$": Suppose $\varphi$ is unsatisfiable. We encode the disjunctive interpolation problem into a (conjunctive) tree interpolation problem [17, 22] (also see Example 3) by adding auxiliary Boolean variables. Wlog, we assume that $\mathit{pos}$ contains the root position $\mathit{root}$ of $\varphi$. The graph of the tree interpolation problem is $(\mathit{pos}, E)$, with the edge relation $E = \{(p, q) \mid p < q \text{ and } \neg\exists r.\, p < r < q\}$. For every $p \in \mathit{pos}$, let $a_p$ be a fresh Boolean variable. We label the nodes of the tree using a function $\varphi_T : \mathit{pos} \to \mathit{Constr}$. For each position $p \in \mathit{pos}$, with direct children $\{q_1, \ldots, q_n\} = \{q \in \mathit{pos} \mid E(p, q)\}$ we define

A tree interpolant $I_T$ exists for this labelling function. By construction, for non-root positions $p \in \mathit{pos} \setminus \{\mathit{root}\}$ the interpolant labelling is equivalent to $I_T(p) = \neg a_p \lor I_p$, where $I_p$ does not contain any further auxiliary Boolean variables. We can then construct a disjunctive interpolant $I$ for the original problem as

$$I(p) = \begin{cases} \mathit{false} & \text{if } p = \mathit{root} \\ I_p & \text{otherwise} \end{cases}$$

To see that $I$ is a disjunctive interpolant, observe that for each position $p \in \mathit{pos}$ with direct children $\{q_1, \ldots, q_n\} = \{q \in \mathit{pos} \mid E(p, q)\}$ the following entailment holds (since $I_T$ is a tree interpolant): $\varphi_T(p) \land (\neg a_{q_1} \lor I_{q_1}) \land \cdots \land (\neg a_{q_n} \lor I_{q_n}) \models I_T(p)$. Via Boolean reasoning this implies: $(\varphi[q_1/I_{q_1}, \ldots, q_n/I_{q_n}]){\downarrow}p \models I(p)$. □



4.1 Solvability of Body-Disjoint Horn Clauses 

The relationship between Craig interpolation and (syntactic) solutions of Horn clauses has been observed in [16]. Disjunctive interpolation corresponds to a specific class of recursion-free Horn clauses, namely Horn clauses that are body disjoint:

Definition 3. A finite, recursion-free set $\mathcal{HC}$ of Horn clauses is body disjoint if for each relation symbol $p$ there is at most one clause containing $p$ in its body, and every clause contains $p$ at most once.

An example of body-disjoint clauses is the subset $\{(1), (2), (5)\}$ of clauses in Fig. 1. Syntactic solutions of a set $\mathcal{HC}$ of body-disjoint Horn clauses can be computed by solving a disjunctive interpolation problem; vice versa, every disjunctive interpolation problem can be translated into an equivalent set of body-disjoint clauses.

In order to extract an interpolation problem from $\mathcal{HC}$, we first normalise the clauses: for every relation symbol $p \in \mathcal{R}$, we fix a unique vector of variables $\bar x_p$, and rewrite $\mathcal{HC}$ such that $p$ only occurs in the form $p(\bar x_p)$. This is possible due to the fact that $\mathcal{HC}$ is body disjoint. The translation from Horn clauses to a disjunctive interpolation problem is done recursively, similar in spirit to inlining of function invocations in a program; thanks to body-disjointness, the encoding is polynomial.

$$\mathit{enc}(\mathcal{HC}) = \bigvee_{(C \land B_1 \land \cdots \land B_n \to \mathit{false}) \in \mathcal{HC}} C \land \mathit{enc}'(B_1) \land \cdots \land \mathit{enc}'(B_n)$$

$$\mathit{enc}'(p(\bar x_p)) = \Big( \bigvee_{(C \land B_1 \land \cdots \land B_n \to p(\bar x_p)) \in \mathcal{HC}} C \land \mathit{enc}'(B_1) \land \cdots \land \mathit{enc}'(B_n) \Big)_{l_p}$$

Note that the resulting formula $\mathit{enc}(\mathcal{HC})$ contains a unique position $l_p$ at which the definition of a relation symbol $p$ is inlined; in the second equation, this position is marked with $l_p$. Any disjunctive interpolant $I$ for this set of positions represents a syntactic solution of $\mathcal{HC}$, and vice versa.



5 Solvability of Recursion-free Horn Clauses 

The previous section discussed how the class of recursion-free body-disjoint Horn clauses can be solved by reduction to disjunctive interpolation. We next show that this construction can be generalised to arbitrary systems of recursion-free Horn clauses. In the absence of the body-disjointness condition, however, the encoding of Horn clauses as interpolation problems can incur a potentially exponential blowup. We give a complexity-theoretic argument justifying that this blowup cannot be avoided in general. This puts disjunctive interpolation (and, equivalently, body-disjoint Horn clauses) at a sweet spot: preserving the relatively low complexity of ordinary binary Craig interpolation, while carrying much of the flexibility of the Horn clause framework.

We first introduce the exhaustive expansion $\mathit{exp}(\mathcal{HC})$ of a set $\mathcal{HC}$ of Horn clauses, which generalises the Horn clause encoding from the previous section. We write $C' \land B'_1 \land \cdots \land B'_n \to H'$ for a fresh variant of a Horn clause $C \land B_1 \land \cdots \land B_n \to H$, i.e., the clause obtained by replacing all free first-order variables with fresh variables. Expansion is then defined by the following recursive functions:

$$\mathit{exp}(\mathcal{HC}) = \bigvee_{(C \land B_1 \land \cdots \land B_n \to \mathit{false}) \in \mathcal{HC}} C \land \mathit{exp}'(B_1) \land \cdots \land \mathit{exp}'(B_n)$$

$$\mathit{exp}'(p(\bar t)) = \bigvee_{(C \land B_1 \land \cdots \land B_n \to p(\bar s)) \in \mathcal{HC}} C' \land \mathit{exp}'(B'_1) \land \cdots \land \mathit{exp}'(B'_n) \land \bar t = \bar s'$$

Note that $\mathit{exp}$ is only well-defined for finite and recursion-free sets of Horn clauses, since the expansion might not terminate otherwise.

Theorem 2 (Solvability of recursion-free Horn clauses). Let $\mathcal{HC}$ be a finite, recursion-free set of Horn clauses. If the underlying constraint language has the interpolation property, then the following statements are equivalent:

1. $\mathcal{HC}$ is semantically solvable;

2. $\mathcal{HC}$ is syntactically solvable;

3. $\mathit{exp}(\mathcal{HC})$ is unsatisfiable.

Proof. $2 \Rightarrow 1$ holds because a syntactic solution gives rise to a semantic solution by interpreting the solution constraints. $\neg 3 \Rightarrow \neg 1$ holds because a model of $\mathit{exp}(\mathcal{HC})$ witnesses domain elements that every semantic solution of $\mathcal{HC}$ has to contain, but which violate at least one clause of the form $C \land B_1 \land \cdots \land B_n \to \mathit{false}$, implying that no semantic solution can exist. $3 \Rightarrow 2$ is shown by encoding $\mathcal{HC}$ into a disjunctive interpolation problem (Sect. 4), which can be solved with the help of Theorem 1. To this end, clauses are first duplicated to obtain a problem that is body-disjoint, and subsequently normalised as described in Sect. 4.1. More details are given in Appendix A. □



5.1 The Complexity of Recursion-free Horn Clauses 

Theorem 2 gives rise to a general algorithm for (syntactically) solving recursion-free sets $\mathcal{HC}$ of Horn clauses, over constraint languages for which interpolation procedures are available. The general algorithm requires, however, to generate and solve the expansion $\mathit{exp}(\mathcal{HC})$ of the Horn clauses, which can be exponentially bigger than $\mathcal{HC}$ (in case $\mathcal{HC}$ is not body disjoint), and might therefore require exponential time. This leads to the question whether more efficient algorithms are possible for solving Horn clauses.

We give a number of complexity results about (semantic) Horn clause solvability; proofs of the results are given in Appendix B, C and D. Most importantly, we can observe that solvability is PSPACE-hard, for every non-trivial constraint language $\mathit{Constr}$.¹

¹ A similar observation was made in the introduction of [21], for the case of programs with procedures.
Lemma 1. Suppose a constraint language can distinguish at least two values, i.e., there are two ground terms $t_0$ and $t_1$ such that $t_0 \neq t_1$ is satisfiable. Then the semantic solvability problem for recursion-free Horn clauses is PSPACE-hard.

Looking for upper bounds, it is easy to see that solvability of Horn clauses is in co-NEXPTIME for any constraint language with a satisfiability problem in NP (for instance, quantifier-free Presburger arithmetic). This is because the size of the expansion $\mathit{exp}(\mathcal{HC})$ is at most exponential in the size of $\mathcal{HC}$. Individual constraint languages admit more efficient solvability checks:

Theorem 3. Semantic solvability of recursion-free Horn clauses over the constraint 
language of Booleans is PSPACE-complete. 

Constraint languages that are more expressive than the Booleans lead to a significant 
increase in the complexity of solving Horn clauses. The lower bound in the following 
theorem can be shown by simulating time-bounded non-deterministic Turing machines. 

Theorem 4. Semantic solvability of recursion-free Horn clauses over the constraint language of quantifier-free Presburger arithmetic is co-NEXPTIME-complete.

The lower bounds in Lemma 1 and Theorem 4 hinge on the fact that sets of Horn clauses can contain shared relation symbols in bodies. Neither result holds if we restrict attention to body-disjoint Horn clauses, which correspond to disjunctive interpolation as introduced in Sect. 4. Since the expansion $\mathit{exp}(\mathcal{HC})$ of body-disjoint Horn clauses is linear in the size of the set of Horn clauses, solvability can also be checked efficiently:

Theorem 5. Semantic solvability of a set of body-disjoint Horn clauses, and equiv- 
alently the existence of a solution for a disjunctive interpolation problem, is in co-NP 
when working over the constraint languages of Booleans and quantifier-free Presburger 
arithmetic. 

Body-disjoint Horn clauses are still expressive: they can directly encode acyclic control- 
flow graphs, as well as acyclic unfolding of many simple recursion patterns. 
For proofs of all results of this section, please consult the Appendix. 

6 Model Checking with Recursive Horn Clauses 

Whereas recursion-free Horn clauses generalise the concept of Craig interpolation, 
solving recursive Horn clauses corresponds to the verification of general programs with 
loops, recursion, or concurrency features [24]. Procedures to solve recursion-free Horn 
clauses can serve as a building block within model checking algorithms for recursive 
Horn clauses [14], and are used to construct or refine abstractions by analysing spurious 
counterexamples. In particular, our disjunctive interpolation can be used for this 
purpose, and offers a high degree of flexibility due to the possibility to analyse counterexamples 
combining multiple execution traces. We illustrate the use of disjunctive 
interpolation within a predicate abstraction-based algorithm for solving Horn clauses. 
Our model checking algorithm is similar in spirit to the procedure in [14], and we explain 
it in Sect. 6.1. 
And/or trees of clauses. For sake of presentation, in our algorithm we represent counterexamples 
(i.e., recursion-free sets of Horn clauses) in the form of and/or trees labelled 
with clauses. Such trees are defined by the following grammar: 

  AOTree ::= And(h, AOTree, ..., AOTree) | Or(AOTree, ..., AOTree) 

where h ranges over (possibly recursive) Horn clauses. We only consider well-formed 
trees, in which the children of every And-node have head symbols that are consistent 
with the body literals of the clause stored in the node, and the sub-trees of an Or-node 
all have the same head symbol. And/or trees are turned into body-disjoint recursion-free 
sets of clauses by renaming relation symbols appropriately. 

Example 5. Referring to the clauses in Fig. 1, a possible and/or tree is 

  And((5), And((3), Or(And((1)), And((2))))) 

A corresponding set of body-disjoint recursion-free clauses is: 

  (1') merge2(X,Y,Z) ← X = 0 ∧ Y >= 0 ∧ Z = Y 
  (2') merge2(X,Y,Z) ← Y = 0 ∧ X >= 0 ∧ Z = X 
  (3') merge1(X,Y,Z) ← Y1 = Y − 1 ∧ merge2(X,Y1,Z1) ∧ Z = Z1 + 1 
  (5') false ← merge1(X,Y,Z) ∧ Z > X + Y 
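The renaming that turns an and/or tree into a body-disjoint clause set, as an added Python example (not code from the paper or from Eldarica). The unprimed clauses (1), (2), (3) and (5) are reconstructed from Example 5 by undoing the renaming; clause (4) of Fig. 1 is not visible on this page and is left out, which is an assumption of this example. One fresh symbol is created per body literal of an And-node, and all alternatives under an Or-node reuse it, which is why (1') and (2') share the head merge2. The check `is_body_disjoint` confirms the definition used in Sect. 5: no relation symbol occurs in two body literals.

```python
# Added example (not the paper's or Eldarica's code): and/or trees of clauses
# and their translation into body-disjoint, recursion-free clause sets.
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Atom:
    rel: str                    # relation symbol
    args: Tuple[str, ...]       # argument terms, kept as plain text


@dataclass(frozen=True)
class Clause:
    name: str
    head: Optional[Atom]        # None stands for the head "false"
    body: Tuple[Atom, ...]      # relation-symbol literals of the body
    constraint: str             # the constraint C, kept as opaque text


@dataclass
class And:                      # And(h, subtree_1, ..., subtree_n): one subtree per body literal
    clause: Clause
    children: List["AOTree"]


@dataclass
class Or:                       # Or(subtree_1, ..., subtree_m): alternatives with one head symbol
    children: List["AOTree"]


AOTree = Union[And, Or]

# Clauses (1), (2), (3), (5) as reconstructed from Example 5 (assumption:
# clause (4) of Fig. 1 is not visible on the page and is omitted here).
XYZ = ("X", "Y", "Z")
FIG1 = {
    "1": Clause("1", Atom("merge", XYZ), (), "X = 0 ∧ Y >= 0 ∧ Z = Y"),
    "2": Clause("2", Atom("merge", XYZ), (), "Y = 0 ∧ X >= 0 ∧ Z = X"),
    "3": Clause("3", Atom("merge", XYZ), (Atom("merge", ("X", "Y1", "Z1")),),
                "Y1 = Y - 1 ∧ Z = Z1 + 1"),
    "5": Clause("5", None, (Atom("merge", XYZ),), "Z > X + Y"),
}
# The and/or tree of Example 5: And((5), And((3), Or(And((1)), And((2)))))
EXAMPLE_TREE = And(FIG1["5"], [And(FIG1["3"], [Or([And(FIG1["1"], []), And(FIG1["2"], [])])])])


def head_symbol(tree: AOTree) -> Optional[str]:
    """Head symbol of a tree; raises ValueError if the tree is not well-formed."""
    if isinstance(tree, Or):
        symbols = {head_symbol(child) for child in tree.children}
        if len(symbols) != 1:
            raise ValueError("all sub-trees of an Or-node must have the same head symbol")
        return symbols.pop()
    if len(tree.clause.body) != len(tree.children):
        raise ValueError(f"clause ({tree.clause.name}) needs one sub-tree per body literal")
    for literal, child in zip(tree.clause.body, tree.children):
        if head_symbol(child) != literal.rel:
            raise ValueError(f"sub-tree head does not match body literal {literal.rel}")
    return None if tree.clause.head is None else tree.clause.head.rel


def to_body_disjoint(tree: AOTree) -> List[Clause]:
    """Rename relation symbols so that every symbol occurs in at most one body literal."""
    head_symbol(tree)                           # reject ill-formed trees first
    fresh = count(1)
    result: List[Clause] = []

    def visit(node: AOTree, new_head: Optional[str]) -> None:
        if isinstance(node, Or):                # alternatives share the renamed head symbol
            for child in node.children:
                visit(child, new_head)
            return
        h = node.clause
        new_body = []
        for literal, child in zip(h.body, node.children):
            renamed = f"{literal.rel}{next(fresh)}"   # one fresh symbol per body literal
            new_body.append(Atom(renamed, literal.args))
            visit(child, renamed)               # the sub-tree defines the renamed symbol
        head = None if h.head is None else Atom(new_head, h.head.args)
        result.append(Clause(h.name + "'", head, tuple(new_body), h.constraint))

    visit(tree, None)
    return result


def is_body_disjoint(clauses: List[Clause]) -> bool:
    """True if no relation symbol occurs in two body literals of the clause set."""
    seen = set()
    for clause in clauses:
        for literal in clause.body:
            if literal.rel in seen:
                return False
            seen.add(literal.rel)
    return True


def fmt(clause: Clause) -> str:
    show = lambda a: f"{a.rel}({','.join(a.args)})"
    head = "false" if clause.head is None else show(clause.head)
    body = " ∧ ".join([clause.constraint] + [show(a) for a in clause.body])
    return f"({clause.name}) {head} <- {body}"


if __name__ == "__main__":
    renamed = to_body_disjoint(EXAMPLE_TREE)
    print(*map(fmt, renamed), sep="\n")
    print("renamed set body-disjoint:", is_body_disjoint(renamed),
          "| Fig. 1 clauses body-disjoint:", is_body_disjoint(list(FIG1.values())))
```

Running the block prints (1') to (5') with the constraint placed first in each body, and shows that the original clauses are not body-disjoint (merge occurs in the bodies of both (3) and (5)) while the renamed set is.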



Solving and/or dags. Counterexamples extracted from model checking problems often 
assume the form of and/or dags, rather than and/or trees. Since and/or dags correspond 
to Horn clauses that are not body-disjoint, the complexity-theoretic results of the last 
section imply that it is in general impossible to avoid the expansion of and/or dags 
to and/or trees; there are, however, various effective techniques to speed up handling 
of and/or dags (somewhat related to the techniques in [21]). We highlight two of the 
techniques we use in our interpolation engine Princess [8], which we used in our experimental 
evaluation of the next section: 

1) counterexample-guided expansion expands and/or dags lazily, until an unsatisfiable 
fragment of the fully expanded tree has been found; such a fragment is sufficient to 
compute a solution. Counterexamples can determine which or-branch of an and/or dag 
is still satisfiable and has to be expanded further. 

2) and/or dag restructuring factors out common sub-dags underneath an Or-node, 
making the and/or dag more tree-like. 



6.1 A Predicate Abstraction-based Model Checking Algorithm 

Our model checking algorithm is in Fig. 3 and similar in spirit to the procedure in [14]; 
it has been implemented in the model checker Eldarica (http://lara.epfl.ch/w/eldarica). 
Solutions for Horn clauses are constructed in disjunctive normal form by building an 
abstract reachability graph over a set of given predicates. When a counterexample is 
detected (a clause with consistent body literals and head false), a theorem prover is 
used to verify that the counterexample is genuine; spurious counterexamples are eliminated 
by generating additional predicates by means of disjunctive interpolation. 

In Fig. 3, $\Pi : \mathcal{R} \to 2^{\mathcal{P}}$ denotes a mapping from relation symbols to the current 
set of predicates used to approximate the relation symbol. Given a (possibly recursive) 
set $\mathcal{HC}$ of Horn clauses, we define an abstract reachability graph (ARG) as a hypergraph 
$(S, E)$, where 

- $S \subseteq \{(p, Q) \mid p \in \mathcal{R},\ Q \subseteq \Pi(p)\}$ is the set of nodes, each of which is a pair consisting 
of a relation symbol and a set of predicates. 

- $E \subseteq S^* \times \mathcal{HC} \times S$ is the hyper-edge relation, with each edge being labelled with 
a clause. An edge $E((s_1, \ldots, s_n), h, s)$, with $h = (C \wedge B_1 \wedge \cdots \wedge B_n \to H) \in \mathcal{HC}$, 
implies that 

  • $s_i = (p_i, Q_i)$ and $B_i = p_i(\bar t_i)$ for all $i = 1, \ldots, n$, and 

  • $s = (p, Q)$, $H = p(\bar t)$, and $Q = \{\phi \in \Pi(p) \mid C \wedge Q_1[\bar t_1] \wedge \cdots \wedge Q_n[\bar t_n] \models \phi[\bar t]\}$, 
where we write $Q_i[\bar t_i]$ for the conjunction of the predicates $Q_i$ instantiated for 
the argument terms $\bar t_i$. 

An ARG $(S, E)$ is called closed if the edge relation represents all Horn clauses in 
$\mathcal{HC}$. This means, for every clause $h = (C \wedge p_1(\bar t_1) \wedge \cdots \wedge p_n(\bar t_n) \to H) \in \mathcal{HC}$ and every 
sequence $(p_1, Q_1), \ldots, (p_n, Q_n) \in S$ of nodes one of the following properties holds: 

- $C \wedge Q_1[\bar t_1] \wedge \cdots \wedge Q_n[\bar t_n] \models \mathit{false}$, or 

- there is an edge $E(((p_1, Q_1), \ldots, (p_n, Q_n)), h, s)$ such that $s = (p, Q)$, $H = p(\bar t)$, and 
$Q = \{\phi \in \Pi(p) \mid C \wedge Q_1[\bar t_1] \wedge \cdots \wedge Q_n[\bar t_n] \models \phi[\bar t]\}$. 

Lemma 2. A set $\mathcal{HC}$ of Horn clauses has a closed ARG $(S, E)$ if and only if $\mathcal{HC}$ is 
syntactically solvable. 

A proof is given in Appendix F. The function ExtractCEX (non-deterministically) 
extracts an and/or tree representing a set of counterexamples, which can be turned into a 
recursion-free body-disjoint set of Horn clauses, and solved as described in Sect. 4.1. In 
general, the tree contains both conjunctions (from clauses with multiple body literals) 
and disjunctions, generated when following multiple hyper-edges (the case $|T| > 1$). 
Disjunctions make it possible to eliminate multiple counterexamples simultaneously. 
The algorithm is parametric in the precise strategy used to compute counterexamples; 
the choices evaluated in the experiments are 

TI extraction of a single counterexample with minimal depth 
(which means that disjunctive interpolation reduces to Tree Interpolation), and 

DI simultaneous extraction of all counterexamples with minimal depth 
(so that genuine Disjunctive Interpolation is used). 

We remark that we have also implemented a simpler "global" algorithm (see Sect. 2), 
which approximates each relation symbol globally with a single conjunction of inferred 
predicates. In contrast, the above algorithm allows multiple nodes, each of which contains 
a different conjunction, thus allowing a disjunction of conjunctions of predicates. 
Both algorithms behave similarly in our experience, with the global one occasionally 
slower, but conceptually simpler. Note that what allowed us to use a simpler algorithm 
at all is the fact that the interpolation problem considered is more general. Thus, another 
advantage of more expressive forms of interpolation is the simplicity of the resulting 
verification algorithms built on top of them. 
  S := ∅, E := ∅                                              ▷ Empty graph 

  function ConstructARG 
    while true do 
      pick clause h = (C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → H) ∈ HC 
        and nodes (p1,Q1), ..., (pn,Qn) ∈ S 
        such that ¬∃s. (((p1,Q1), ..., (pn,Qn)), h, s) ∈ E 
        and C ∧ Q1[t̄1] ∧ ··· ∧ Qn[t̄n] ⊭ false 
      if no such clauses and nodes exist then return "HC is solvable" 
      if H = false then                                       ▷ Refinement needed 
        tree := And(h, ExtractCEX(p1,Q1), ..., ExtractCEX(pn,Qn)) 
        if tree is unsatisfiable then 
          extract disjunctive interpolant from tree, add predicates to Π 
          delete part of (S, E) used to construct tree 
        else return "HC is unsolvable, with counterexample trace tree" 
      else                                                    ▷ Add edge to ARG 
        let H = p(t̄) 
        Q := {φ ∈ Π(p) | C ∧ Q1[t̄1] ∧ ··· ∧ Qn[t̄n] ⊨ φ[t̄]} 
        e := (((p1,Q1), ..., (pn,Qn)), h, (p,Q)) 
        S := S ∪ {(p,Q)},  E := E ∪ {e} 

  function ExtractCEX(root : S)                 ▷ Extract disjunctive interpolation problem 
    pick T ⊆ E with ∀e ∈ T. e = (_, _, root) 
    return Or{ And(h, ExtractCEX(s1), ..., ExtractCEX(sn)) | ((s1, ..., sn), h, root) ∈ T } 

Fig. 3. Algorithm for construction of abstract reachability graphs. 



6.2 Experimental Evaluation 

We have evaluated our algorithm on a set of benchmarks in integer linear arithmetic 
from the NTS library [20]. The (a) benchmarks are recursive algorithms, (b) benchmarks 
are extracted from programs with singly-linked lists, (c) benchmarks are models 
extracted from VHDL models of circuits, (d) benchmarks are verification conditions 
for programs with arrays, (e) benchmarks are in the NECLA static analysis suite, (f) 
C programs with asynchronous procedure calls translated into NTS using the approach 
of [12] (the examples with extension .opt are obtained via an optimised translation 
method [Pierre Ganty, personal communication]). The results are given in Fig. 4. 

The experiments show comparable verification times and performance for the Tree 
Interpolation and Disjunctive Interpolation runs. Studying the results more closely, we 
observed that DI consistently led to a smaller number of abstraction refinement steps 
(the scatter plot in Fig. 4); this indicates that DI is indeed able to eliminate multiple 
counterexamples simultaneously, and to rapidly generate predicates that are useful for 
abstraction. The experiments also showed that there is a trade-off between the time 
spent generating predicates, and the quality of the predicates. In TI, on average 31% of 
the verification time is used for predicate generation (interpolation), while with DI 42% is 
used; in some of the benchmarks in (f), this led to the phenomenon that DI was slower 
than TI, despite fewer refinement steps. We expect this will change as we make further 
improvements to our prototypical implementation of disjunctive interpolation. 

[Table of Fig. 4 not recoverable from the page; panel (d): Verification conditions for array programs [7]] 
Fig. 4. Benchmarks for model checking Horn clauses. The letter after the model name distinguishes 
Correct from models with a reachable Error state. "-" indicates timeout. The scatter plot 
illustrates the required number of refinement steps, for the case of single counterexamples (TI) 
and simultaneous extraction of all minimal-depth counterexamples (DI). All experiments were 
done on an Intel Core i5 2-core machine with 3.2GHz and 8Gb, with a timeout of 500s. 

We compared our results to the performance of HSF, a sophisticated state-of-the-art 
verification engine for problems expressed as Horn clauses. We observe similar performance 
on many benchmarks, with HSF notably faster on many (f) benchmarks but the 
difference less pronounced for large benchmarks. We were unable to process with HSF 
the benchmarks in (a) containing modular arithmetic; we marked those with ERR. 



Conclusions 

We have introduced disjunctive interpolation as a new form of Craig interpolation tai- 
lored to model checkers based on the paradigm of Horn clauses. Disjunctive interpola- 
tion can be identified as solving body-disjoint systems of recursion-free Horn clauses, 
and subsumes a number of previous forms of interpolation, including tree interpolation 
and inductive sequences of interpolants. We believe that the flexibility of disjunctive in- 
terpolation is highly beneficial for building interpolation-based model checkers. In par- 
ticular, when implementing more intelligent techniques (than used in our experiments) 
to select sets of counterexamples handed over to interpolation, significant speed-ups can 
be expected. We plan to explore this direction in future work, together with improve- 
ments in the implementation of disjunctive interpolation itself. 
A Solving Recursion-free Horn Clauses: Proof of Theorem 2 

We outline a proof for Theorem 2, direction 3 ⇒ 2. Suppose the expansion $\mathit{exp}(\mathcal{HC})$ 
of a set $\mathcal{HC}$ of recursion-free Horn clauses is unsatisfiable. As before, we compute a 
solution of the Horn clauses separately for every connected component of the $\to_{\mathcal{HC}}$-graph. 
Wlog we can therefore assume that the $\to_{\mathcal{HC}}$-graph is connected. 

Elimination of duplicated relation symbols. Furthermore, we can assume that every 
relation variable occurs at most once in the body of a clause. Otherwise we duplicate 
the relation variable (and all clauses defining it), and solve the resulting simpler system. 
E.g., if we have clauses 

  $p(x,y) \wedge p(y,z) \to r(x,z)$,   $q(x,y) \to p(x,y)$,   $x > 0 \to q(x,x)$ 

we first expand the system to 

  $p_1(x,y) \wedge p_2(y,z) \to r(x,z)$, 
  $q_1(x,y) \to p_1(x,y)$,   $x > 0 \to q_1(x,x)$,   $q_2(x,y) \to p_2(x,y)$,   $x > 0 \to q_2(x,x)$ 

and solve the expanded system. Afterwards we construct a solution of the original system 
as 

  $C_p[x,y] = C_{p_1}[x,y] \wedge C_{p_2}[x,y]$,   $C_q[x,y] = C_{q_1}[x,y] \wedge C_{q_2}[x,y]$ 

This is possible because the space of (syntactic) solutions of a Horn clause is closed 
under conjunction. 

Renaming of first-order variables and normalisation. We normalise the resulting clauses 
like in Sect. 4.1: for every relation symbol $p$, we fix a unique vector of variables $\bar x_p$, and 
rewrite $\mathcal{HC}$ such that $p$ only occurs in the form $p(\bar x_p)$; by renaming variables, we then 
ensure that every variable $x$ that is not argument of a relation symbol occurs in at most 
one clause. 

Encoding into a disjunctive interpolation problem. The translation from Horn clauses 
to a disjunctive interpolation problem is done by adapting the expansion function $\mathit{exp}$ 
from Sect. 5: 

$$\mathit{enc}(\mathcal{HC}) = \bigvee_{(C \wedge B_1 \wedge \cdots \wedge B_n \to \mathit{false}) \in \mathcal{HC}} C \wedge \mathit{enc}(B_1) \wedge \cdots \wedge \mathit{enc}(B_n)$$

$$\mathit{enc}(p(\bar x_p)) = \Big[\bigvee_{(C \wedge B_1 \wedge \cdots \wedge B_n \to p(\bar x_p)) \in \mathcal{HC}} C \wedge \mathit{enc}(B_1) \wedge \cdots \wedge \mathit{enc}(B_n)\Big]_{l_p}$$

Note that the resulting formula $\mathit{enc}(\mathcal{HC})$ contains a unique position $l_p$ at which the 
definition of a relation symbol $p$ is inlined; in the second equation, this position is 
marked with $l_p$. We then derive a disjunctive interpolant $I$ for this set of positions in 
$\mathit{enc}(\mathcal{HC})$. A syntactic solution of $\mathcal{HC}$ is then given by the definition $\forall \bar x_p.\,(p(\bar x_p) \leftrightarrow I(l_p))$, 
for all relation symbols $p$. 
B Solvability of Recursion-free Horn Clauses is PSPACE-hard: 
Proof of Lemma 1 

We reduce the unsatisfiability problem of quantified boolean formulae (known to be 
PSPACE-hard) to solvability of recursion-free Horn clauses. Assume an arbitrary QBF 
of the shape $\phi = Q_1 x_1.\,Q_2 x_2.\,\ldots\,Q_n x_n.\,F$, where $Q_i \in \{\exists, \forall\}$ are quantifiers, $x_i$ are all variables 
occurring in the formula, and $F$ is a quantifier-free Boolean formula in CNF. 
We translate $\phi$ into a recursion-free set of Horn clauses: 

- a literal $x_i$ of a clause $C_j$ in $F$ becomes a Horn clause 
  $x_i = t_1 \to C_{ij}(x_1, x_2, \ldots, x_{i-1}, t_1, x_{i+1}, \ldots, x_n)$ 

- a literal $\neg x_i$ of a clause $C_j$ in $F$ becomes a Horn clause 
  $x_i = t_0 \to C_{ij}(x_1, x_2, \ldots, x_{i-1}, t_0, x_{i+1}, \ldots, x_n)$ 

- a clause $C_j$ in $F$ becomes a set of Horn clauses 
  $C_{1j}(x_1, \ldots) \to C_j(x_1, \ldots)$,   $C_{2j}(x_1, \ldots) \to C_j(x_1, \ldots)$,   ... 

- the body $F$ becomes the Horn clause 
  $C_1(x_1, \ldots) \wedge C_2(x_1, \ldots) \wedge \cdots \to F_{n+1}(x_1, \ldots)$ 

- a quantifier $Q_i = \exists$ is translated as the two clauses 
  $F_{i+1}(x_1, \ldots, x_{i-1}, 0) \to F_i(x_1, \ldots, x_{i-1})$,   $F_{i+1}(x_1, \ldots, x_{i-1}, 1) \to F_i(x_1, \ldots, x_{i-1})$ 

- a quantifier $Q_i = \forall$ is translated as the clause 
  $F_{i+1}(x_1, \ldots, x_{i-1}, 0) \wedge F_{i+1}(x_1, \ldots, x_{i-1}, 1) \to F_i(x_1, \ldots, x_{i-1})$ 

- finally, we add the clause $F_1() \wedge t_0 \neq t_1 \to \mathit{false}$. 

It is now easy to see that the expansion $\mathit{exp}(\mathcal{HC})$ of the Horn clauses coincides with the 
result of expanding all quantifiers in $\phi$. By Theorem 2, unsatisfiability of the expansion 
is equivalent to solvability of the set of Horn clauses. 
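The reduction above, as an added Python example that is not part of the paper: it generates the clause set for a QBF over the Booleans (with $t_0 = 0$ and $t_1 = 1$), evaluates $\mathit{exp}(\mathcal{HC})$ by unfolding the recursion-free clauses, and compares the result with a direct evaluation of the QBF on two constructed formulas. The constraint $x_i = t_1$ of a literal clause only fixes an otherwise unused variable, so the example places the constant directly in the head. The universal-quantifier clause mentions $F_{i+1}$ twice in its body; this is the shared body symbol that the lower bound relies on, and the unfolding evaluator visits it twice accordingly.

```python
# Added example (not the paper's code): the QBF -> recursion-free Horn clause
# reduction over the Booleans, with exp(HC) evaluated by unfolding.
from typing import Callable, Dict, List, Optional, Tuple, Union

Term = Union[str, int]                          # a variable name, or the constant 0 / 1
Atom = Tuple[str, Tuple[Term, ...]]             # (relation symbol, argument terms)
Env = Dict[str, int]
Clause = Tuple[Atom, List[Atom], Callable[[Env], bool]]   # head, body literals, constraint
QBF = Tuple[List[str], List[List[int]]]         # quantifier of x_1..x_n ('E'/'A'), CNF over signed ints

TRUE: Callable[[Env], bool] = lambda env: True


def qbf_to_horn(qbf: QBF) -> List[Clause]:
    """Clause set of Appendix B for phi = Q_1 x_1 ... Q_n x_n. F, with t_0 = 0, t_1 = 1."""
    quants, cnf = qbf
    n = len(quants)
    xs: Tuple[Term, ...] = tuple(f"x{i}" for i in range(1, n + 1))
    hc: List[Clause] = []
    for j, cnf_clause in enumerate(cnf, start=1):
        for lit in cnf_clause:
            i, t = abs(lit), int(lit > 0)        # literal x_i gets t_1, literal -x_i gets t_0
            # x_i = t -> C_ij(x_1, ..., x_{i-1}, t, x_{i+1}, ..., x_n): the constraint only
            # pins the otherwise unused x_i, so the constant goes straight into the head.
            hc.append(((f"C{i}_{j}", xs[:i - 1] + (t,) + xs[i:]), [], TRUE))
            hc.append(((f"C{j}", xs), [(f"C{i}_{j}", xs)], TRUE))   # C_ij(x) -> C_j(x)
    hc.append(((f"F{n + 1}", xs), [(f"C{j}", xs) for j in range(1, len(cnf) + 1)], TRUE))
    for i, q in enumerate(quants, start=1):      # F_{i+1}(x_1..x_{i-1}, b) feeds F_i(x_1..x_{i-1})
        prefix = xs[:i - 1]
        branches = [(f"F{i + 1}", prefix + (b,)) for b in (0, 1)]
        if q == "E":
            hc.extend(((f"F{i}", prefix), [br], TRUE) for br in branches)
        else:                                    # forall: both branches in one body
            hc.append(((f"F{i}", prefix), branches, TRUE))
    hc.append((("false", ()), [("F1", ())], lambda env: 0 != 1))   # F_1() ∧ t_0 ≠ t_1 -> false
    return hc


def _bind(env: Env, pattern: Term, value: int) -> bool:
    if isinstance(pattern, str):
        return env.setdefault(pattern, value) == value
    return pattern == value


def holds(atom: Atom, hc: List[Clause]) -> bool:
    """Truth of a ground atom in exp(HC): some clause with this head symbol matches
    the arguments, its constraint holds, and every body atom holds recursively."""
    sym, args = atom
    for (head_sym, head_args), body, constraint in hc:
        if head_sym != sym or len(head_args) != len(args):
            continue
        env: Env = {}
        if not all(_bind(env, h, a) for h, a in zip(head_args, args)):
            continue
        ground = lambda t: env[t] if isinstance(t, str) else t
        if constraint(env) and all(holds((b, tuple(ground(t) for t in b_args)), hc)
                                   for b, b_args in body):
            return True
    return False


def horn_solvable(qbf: QBF) -> bool:
    """Theorem 2 as used in the proof: HC is solvable iff exp(HC) is unsatisfiable; exp(HC)
    is the disjunction over the false-headed clauses, here just F_1() ∧ t_0 ≠ t_1."""
    return not holds(("false", ()), qbf_to_horn(qbf))


def qbf_value(qbf: QBF, env: Optional[Dict[int, int]] = None, i: int = 1) -> bool:
    """Direct evaluation of the QBF, for comparison."""
    quants, cnf = qbf
    env = env or {}
    if i > len(quants):
        return all(any((env[abs(l)] == 1) == (l > 0) for l in c) for c in cnf)
    branches = [qbf_value(qbf, {**env, i: b}, i + 1) for b in (0, 1)]
    return any(branches) if quants[i - 1] == "E" else all(branches)


# Constructed samples: forall x1. exists x2. (x1 ∨ x2) ∧ (¬x1 ∨ ¬x2) is true;
# with the quantifiers swapped it is false.
PHI_TRUE: QBF = (["A", "E"], [[1, 2], [-1, -2]])
PHI_FALSE: QBF = (["E", "A"], [[1, 2], [-1, -2]])

if __name__ == "__main__":
    for name, phi in (("phi_true", PHI_TRUE), ("phi_false", PHI_FALSE)):
        print(f"{name}: QBF value {qbf_value(phi)}, {len(qbf_to_horn(phi))} clauses,"
              f" Horn clauses solvable: {horn_solvable(phi)}")
```

The two sample runs confirm the direction of the reduction: the true QBF yields an unsolvable clause set (its expansion is satisfiable), the false one a solvable set.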

C Succinct Expansion of Recursion-free Horn Clauses 

The following lemma implies that solvability of recursion-free Horn clauses over the 
theory of Booleans is PSPACE-complete: 

Lemma 3 (Succinct expansion). Let $\mathcal{HC}$ be a finite, recursion-free set of Horn clauses. 
If the underlying constraint language provides quantifiers, in (deterministic) linear time 
a formula $\mathit{sexp}(\mathcal{HC})$ can be extracted that is equivalent to $\mathit{exp}(\mathcal{HC})$. The number of 
quantifier alternations in $\mathit{sexp}(\mathcal{HC})$ is at most two times the number of relation symbols 
in $\mathcal{HC}$. 

Proof. We assume that the Horn clauses are connected, i.e., the $\to_{\mathcal{HC}}$-graph consists 
of a single connected component. Further, we assume that the first-order variables in 
any two clauses in $\mathcal{HC}$ are disjoint. The encoding of Horn clauses as a QBF formula is 
then defined by the following algorithm in pseudo-code. The algorithm maintains a list 
quantifiers of quantifiers that have to be added in front of the formula. 

  quantifiers ← ε,  checksRequired ← ∅ 
  function Encode(HC) 
    Order clauses HC in topological order, starting from clauses with head false 
    matrix ← EncodeBodies({C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → false ∈ HC}, ε) 
    remaining ← {C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → p(t̄) ∈ HC} 
    while remaining ≠ ∅ do 
      Pick first clause C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → p(t̄) ∈ remaining in topological order 
      nextClauses ← {c ∈ HC | head symbol of c is p} 
      remaining ← remaining \ nextClauses 
      for i ← 1, ..., arity(p) do 
        Create fresh variable xi 
        quantifiers ← quantifiers . ∀xi 
      guard ← false 
      for (f, p(s̄)) ∈ checksRequired do              ▷ Checks with symbol p 
        guard ← guard ∨ (f ∧ s̄ = (x1, ..., xn)) 
      matrix ← matrix ∧ (guard → EncodeBodies(nextClauses, (x1, ..., xn))) 
    return quantifiers . matrix 

  function EncodeBodies(clauses, s̄) 
    result ← false 
    for C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → p(t̄) ∈ clauses do 
      quantifiers ← quantifiers . ∃fv(C ∧ p1(t̄1) ∧ ··· ∧ pn(t̄n) → p(t̄)) 
      for i ← 1, ..., n do 
        Create fresh Boolean flag fi 
        quantifiers ← quantifiers . ∃fi 
        checksRequired ← checksRequired ∪ {(fi, pi(t̄i))} 
      disjunct ← s̄ = t̄ ∧ C ∧ f1 ∧ ··· ∧ fn 
      result ← result ∨ disjunct 
    return result 

We illustrate the succinct encoding using an example. Consider the clauses 

  (C1) r(X,Y) ← Y = X + 1 
  (C2) r(X,Y) ← Y = X + 2 
  (C3) s(X,Z) ← r(X,Y) ∧ r(Y,Z) 
  (C4) false ← s(X,Z) ∧ X >= 0 ∧ Z <= 0 

The formula resulting from the succinct encoding is: 

  ∃x0,x1,f1. ∀x3,x4. ∃x5,x6,x7,f2,f3. ∀x10,x11. ∃x12,x13,x14,x15. 
  (C4)    (x1 >= 0 ∧ 0 >= x0 ∧ f1 ∧ 
          ((f1 ∧ x1 = x3 ∧ x0 = x4) → 
  (C3)       (x7 = x3 ∧ x6 = x4 ∧ f2 ∧ f3)) ∧ 
          (((f2 ∧ x7 = x10 ∧ x5 = x11) ∨ 
            (f3 ∧ x5 = x10 ∧ x6 = x11)) → 
  (C1)       ((x13 = x10 ∧ x12 = x11 ∧ x12 = x13 + 1) ∨ 
  (C2)        (x15 = x10 ∧ x14 = x11 ∧ x14 = x15 + 2)))) 
D Solvability of Recursion-free Horn Clauses over Presburger 
Arithmetic is co-NEXPTIME-Complete: Proof of Theorem 4 

It has already been observed that solvability is in co-NEXPTIME, so we proceed to 
show hardness by direct reduction of exponential-time-bounded Turing machines (possibly 
non-deterministic, with binary tape) to recursion-free Horn clauses over quantifier-free 
PA. A Turing machine $M = (Q, \delta, q_0, f)$ is defined by 

- a finite non-empty set $Q$ of states, 

- an initial state $q_0 \in Q$, 

- a final state $f \in Q$, 

- a transition relation $\delta \subseteq ((Q \setminus \{f\}) \times \{0, 1\}) \times (Q \times \{0, 1\} \times \{L, R\})$. 

Wlog, we assume that $Q = \{0, 1, \ldots, f\} \subseteq \mathbb{Z}$ and $q_0 = 0$. 

We define a relation symbol $\mathit{step}(q, l, r, q', l', r')$ to represent single execution steps 
of the machine. The parameters $l, r, l', r'$ represent the tape, which is encoded as non-negative 
integers; the bits in the binary representation of the integers are the contents 
of the tape cells. $l$ is the tape left of the head, $r$ the tape right of the head. The least-significant 
bit of $r$ is the tape cell at the head position. $l', r'$ are the corresponding post-state 
variables after one execution step. 

A tuple $(q, b, q', b', L) \in \delta$ (moving the tape to the left) is represented by a clause 

  $\mathit{step}(q, x, b + 2y, q', b' + 2x, y)$ 

where $x, y$ are the implicitly universally quantified variables of the clause, and $q, b, q', b'$ 
concrete numeric constants. Similarly, a tuple $(q, b, q', b', R) \in \delta$ is encoded as 

  $0 \le x \le 1 \to \mathit{step}(q, x + 2y, b + 2z, q', y, x + 2b' + 4z)$ 

To represent termination, we add a clause $\mathit{step}(f, x, y, f, x, y)$, implying that the machine 
will stay in the final state $f$ forever. 

We then introduce $n$ further clauses to model an execution sequence of length $2^n$: 

  $\mathit{step}(x, y, z, x', y', z') \wedge \mathit{step}(x', y', z', x'', y'', z'') \to \mathit{step}^1(x, y, z, x'', y'', z'')$ 
  $\mathit{step}^1(x, y, z, x', y', z') \wedge \mathit{step}^1(x', y', z', x'', y'', z'') \to \mathit{step}^2(x, y, z, x'', y'', z'')$ 
  ⋮ 
  $\mathit{step}^{n-1}(x, y, z, x', y', z') \wedge \mathit{step}^{n-1}(x', y', z', x'', y'', z'') \to \mathit{step}^n(x, y, z, x'', y'', z'')$ 

The final clause expresses that the Turing machine does not terminate within $2^n$ 
steps, when started with the initial tape $t$: $\mathit{step}^n(0, 0, t, f, x, y) \to \mathit{false}$. 

Clearly, the expansion $\mathit{exp}(\mathcal{HC})$ of the resulting set $\mathcal{HC}$ of Horn clauses is unsatisfiable 
(i.e., $\mathcal{HC}$ can be solved) if and only if no execution of the Turing machine, starting 
with the initial tape $t$, terminates within $2^n$ steps. 
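The tape arithmetic behind the two step clauses, as an added Python example (not the paper's code): it checks both clause shapes against a list-based tape for all small tapes, and reproduces the doubling of $\mathit{step}^n$ for a small constructed machine (its states, transition relation and initial tape are made up here) so that the meaning of the final clause, no run reaching $f$ within $2^n$ steps, can be evaluated directly. Because $f$ is absorbing, a run that ends in $f$ after exactly $2^n$ steps is the same as a run that reaches $f$ within $2^n$ steps.

```python
# Added example (not the paper's code): the integer tape encoding of the step
# clauses, checked against a list-based tape, plus the 2^n-step doubling.
from itertools import product
from typing import Dict, List, Set, Tuple

Config = Tuple[int, int, int]                    # (q, l, r)
Delta = Dict[Tuple[int, int], List[Tuple[int, int, str]]]   # (q, b) -> [(q', b', 'L' | 'R')]


def encode_tape(cells: List[int], pos: int) -> Tuple[int, int]:
    """l = cells left of the head (nearest cell is the LSB); r = head cell (LSB)
    and everything to its right. Blank cells are 0 in both directions."""
    l = sum(bit << i for i, bit in enumerate(reversed(cells[:pos])))
    r = sum(bit << i for i, bit in enumerate(cells[pos:]))
    return l, r


def step_L(l: int, r: int, b_new: int) -> Tuple[int, int]:
    """Clause step(q, x, b + 2y, q', b' + 2x, y): the read bit b is the LSB of r;
    b' is written and becomes the nearest cell left of the head."""
    x, y = l, r >> 1
    return b_new + 2 * x, y


def step_R(l: int, r: int, b_new: int) -> Tuple[int, int]:
    """Clause 0 <= x <= 1 -> step(q, x + 2y, b + 2z, q', y, x + 2b' + 4z): the head
    moves onto the nearest left cell x; the written b' is now right of the head."""
    x, y, z = l & 1, l >> 1, r >> 1
    return y, x + 2 * b_new + 4 * z


def ref_step(cells: List[int], pos: int, b_new: int, direction: str) -> Tuple[List[int], int]:
    """Reference semantics on an explicit cell list: write, then move the head.
    'L' (tape moves left) increases the head index, 'R' decreases it."""
    cells = list(cells)
    cells[pos] = b_new
    if direction == "L":
        pos += 1
        if pos == len(cells):
            cells.append(0)
    else:
        if pos == 0:
            cells.insert(0, 0)
            pos = 1
        pos -= 1
    return cells, pos


def encoding_matches_reference(width: int = 4) -> bool:
    """Exhaustively compare both clause shapes with ref_step on all tapes of `width` cells."""
    for cells in product((0, 1), repeat=width):
        for pos, b_new, direction in product(range(width), (0, 1), "LR"):
            l, r = encode_tape(list(cells), pos)
            via_clause = (step_L if direction == "L" else step_R)(l, r, b_new)
            if encode_tape(*ref_step(list(cells), pos, b_new, direction)) != via_clause:
                return False
    return True


def successors(delta: Delta, final: int, cfg: Config) -> Set[Config]:
    """Images of one configuration under the step relation (non-deterministic)."""
    q, l, r = cfg
    if q == final:                               # clause step(f, x, y, f, x, y)
        return {cfg}
    out: Set[Config] = set()
    for q2, b2, direction in delta.get((q, r & 1), []):
        l2, r2 = (step_L if direction == "L" else step_R)(l, r, b2)
        out.add((q2, l2, r2))
    return out


def step_pow(delta: Delta, final: int, configs: Set[Config], n: int) -> Set[Config]:
    """step^n as defined by the doubling clauses: step^0 is step itself (one
    machine step), and step^k is step^{k-1} composed with itself, i.e. 2^k steps."""
    if n == 0:
        return set().union(*(successors(delta, final, c) for c in configs))
    return step_pow(delta, final, step_pow(delta, final, configs, n - 1), n - 1)


def terminates_within(delta: Delta, final: int, tape: int, n: int) -> bool:
    """Negation of the final clause step^n(0, 0, t, f, x, y) -> false: since f is
    absorbing, some run ends in f after exactly 2^n steps iff f is reached within 2^n."""
    return any(q == final for q, _, _ in step_pow(delta, final, {(0, 0, tape)}, n))


# Constructed machine: state 0 overwrites 0s with 1s moving right until it reads a 1,
# state 1 steps back once, state 2 = f is final. Initial tape t = 0b1000 (head on the LSB).
DELTA: Delta = {(0, 0): [(0, 1, "L")], (0, 1): [(1, 1, "R")],
                (1, 0): [(2, 0, "L")], (1, 1): [(2, 1, "L")]}
FINAL, INITIAL_TAPE = 2, 0b1000

if __name__ == "__main__":
    print("encoding matches reference:", encoding_matches_reference())
    for n in range(4):
        print(f"reaches f within 2^{n} steps:", terminates_within(DELTA, FINAL, INITIAL_TAPE, n))
```

For the constructed machine the run reaches $f$ after five steps, so the clause set with $n = 2$ (four steps) is solvable while the one with $n = 3$ is not; the non-deterministic case is covered by `delta` mapping to a list of transitions.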
E Clauses Solvable Semantically but not Syntactically 

Consider the following clause set $\mathcal{HC}$: 

  multA(X,Y,Z) ← X = 0 ∧ Z = 0 
  multA(X,Y,Z) ← multA(X1,Y,Z1) ∧ X1 = X − 1 ∧ Z = Z1 + Y 
  multB(X,Y,Z) ← X = 0 ∧ Z = 0 
  multB(X,Y,Z) ← multB(X1,Y,Z1) ∧ X1 = X − 1 ∧ Z = Z1 + Y 
  false ← multA(X,Y,Z1) ∧ multB(X,Y,Z2) ∧ Z1 ≠ Z2 

The clauses define two versions of a multiplication and assert that the result is functionally 
determined by the first two arguments. Let $a, b \subseteq \mathbb{Z}^3$ denote the interpretations of 
multA and multB, respectively, in any solution that satisfies all Horn clauses. We show 
that the only possibility is that $a = b = m$ where $m = \{(x, y, z) \in \mathbb{Z}^3 \mid z = xy\}$ is 
the multiplication relation. Indeed, by induction we can easily prove that $m \subseteq a$ and 
$m \subseteq b$, using the first four clauses. To show the converse, suppose on the contrary that 
$(x, y, z) \in a$ where $z \neq xy$ (the case for $(x, y, z) \in b$ is symmetrical). Because $(x, y, xy) \in b$ 
and $xy \neq z$, the last clause does not hold, a contradiction. 

Therefore, the clauses have a unique solution $a = b = m$, but this solution is not 
definable in Presburger arithmetic (e.g. by semilinearity of the solution sets, or by 
decidability of Presburger arithmetic vs undecidability of its extension with multiplication). 
Therefore, the above clauses give an example of clauses that are semantically but 
not syntactically solvable in Presburger arithmetic. 

Further such examples can be constructed by using Horn clauses to define other 
total computable functions that are not definable in Presburger arithmetic alone. 

F Completeness of Horn Clause Verification: Proof of Lemma 2 

"⇒": Define each relation symbol $p$ as the disjunction $\bigvee_{(p, Q) \in S} \bigwedge Q$. Since $S$ is closed 
under the edge relation, this yields a solution for the set $\mathcal{HC}$ of Horn clauses. 

"⇐": Suppose $\mathcal{HC}$ is syntactically solvable, with each relation symbol $p$ being 
mapped to the constraint $C_p$. We define the predicate abstraction $\Pi(p) = \{C_p\}$, and 
construct the ARG with nodes $S = \{(p, \{C_p\})\}$, and the maximum edge relation $E$, which 
is closed. 



